From fb6cb2dbcbeb7cd7546ca4d126394720d215c310 Mon Sep 17 00:00:00 2001
From: Neil Alexander
Date: Mon, 10 Oct 2022 11:14:16 +0100
Subject: [PATCH] Tweak `GetAccountByPassword` more
---
 clientapi/auth/password.go | 6 ++++++
 userapi/storage/shared/storage.go | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/clientapi/auth/password.go b/clientapi/auth/password.go
index bcb4ca97..890b1818 100644
--- a/clientapi/auth/password.go
+++ b/clientapi/auth/password.go
@@ -68,6 +68,12 @@ func (t *LoginTypePassword) Login(ctx context.Context, req interface{}) (*Login,
 JSON: jsonerror.BadJSON("A username must be supplied."),
 }
 }
+ if len(r.Password) == 0 {
+ return nil, &util.JSONResponse{
+ Code: http.StatusUnauthorized,
+ JSON: jsonerror.BadJSON("A password must be supplied."),
+ }
+ }
 localpart, err := userutil.ParseUsernameParam(username, &t.Config.Matrix.ServerName)
 if err != nil {
 return nil, &util.JSONResponse{
diff --git a/userapi/storage/shared/storage.go b/userapi/storage/shared/storage.go
index 09eeedc9..4e28f7b5 100644
--- a/userapi/storage/shared/storage.go
+++ b/userapi/storage/shared/storage.go
@@ -75,7 +75,7 @@ func (d *Database) GetAccountByPassword(
 if err != nil {
 return nil, err
 }
- if hash == "" {
+ if len(hash) == 0 && len(plaintextPassword) > 0 {
 return nil, bcrypt.ErrHashTooShort
 }
 if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(plaintextPassword)); err != nil {
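Review bot: The new empty-password branch in `Login` pairs `Code: http.StatusUnauthorized` with `jsonerror.BadJSON`, so a client sees an authentication-failure status carrying a malformed-request error code. A missing field reads more naturally as `Code: http.StatusBadRequest,`, unless this deliberately mirrors the username branch, whose `Code:` line is outside the hunk. The guard also has no comment saying why it exists. Since the storage.go hunk in this commit suggests accounts can have an empty stored hash, something like `// Reject empty passwords up front so an account with no stored hash can never be matched.` would stop a later cleanup from dropping it. `Login` starts and ends outside this hunk.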
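Review bot: The narrowed guard in `GetAccountByPassword` no longer rejects an empty stored hash when the supplied password is also empty. That pair now falls through to `bcrypt.CompareHashAndPassword`, and as far as I know it is refused only because bcrypt returns `ErrHashTooShort` for a hash below its minimum length. The outcome looks unchanged, but the condition now reads as though empty-against-empty is meant to proceed, and the storage layer depends on library behaviour rather than its own check. The new check in clientapi/auth/password.go covers only that one caller; any other caller of this method relies on this guard. I would keep it unconditional, `if len(hash) == 0 {`, or, if the narrowing is intentional, state the reason in a comment directly above it. The function body continues outside the hunk.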